Cryptography-Digest Digest #700, Volume #11 Thu, 4 May 00 00:13:01 EDT
Contents:
Re: ASCII encrypt and decrypt ("Duran Castore")
Re: Fixed: Sboxgen tool (Tim Tyler)
Re: GPS encryption turned off (Paul Rubin)
Re: Silly way of generating random numbers? ("Douglas A. Gwyn")
Re: OAP-L3: Semester 1 / Class #1 All are invited. ("Douglas A. Gwyn")
Re: GPS encryption turned off (Paul Rubin)
Re: RC5 math (Scott Contini)
Re: Fixed: Sboxgen tool (Tom St Denis)
Re: GPS encryption turned off (Nicol So)
Re: Cascading Crypto Attack ("Joseph Ashwood")
Re: Cipher Contest Update ([EMAIL PROTECTED])
Re: Any good attorneys? (Bryan Olson)
Re: Silly way of generating random numbers? (Tom St Denis)
Re: about search and seizure of computers again (jungle)
Re: quantum crypto breakthru? (Danilo)
Re: AEES Advanced ("Scott Fluhrer")
Re: Silly way of generating random numbers? ("almis")
----------------------------------------------------------------------------
From: "Duran Castore" <[EMAIL PROTECTED]>
Subject: Re: ASCII encrypt and decrypt
Date: Wed, 3 May 2000 20:17:12 -0300
How about this one?
It's not optimized, doesn't check for nulls, etc., but can be a good
start.
Private Function Shift_String(ByVal s As String, ByVal n As Integer) As String
    Dim i As Integer, t As String
    t = ""
    For i = 1 To Len(s)
        ' Add 256 before the second Mod so a negative n (decryption) still
        ' yields a code in 0..255; VB's Mod keeps the sign of its left operand.
        t = t & Chr(((Asc(Mid(s, i, 1)) + n) Mod 256 + 256) Mod 256)
    Next i
    Shift_String = t
End Function
Duran Castore ([EMAIL PROTECTED]).
Dan <[EMAIL PROTECTED]> wrote in message news:ccKN4.72$[EMAIL PROTECTED]
> Anyone know how to use VB to write a code convert MS word to ASCII?
>
> Example .... like
>
> HAL if you encrypt by +1 using ASCII; it will become IBM.
>
> Thank.
>
>
------------------------------
From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: Fixed: Sboxgen tool
Reply-To: [EMAIL PROTECTED]
Date: Wed, 3 May 2000 22:38:08 GMT
Tom St Denis <[EMAIL PROTECTED]> wrote:
: [...] The SAC test actually works now. I misunderstood that the changed bit
: count must equal half the output size; it's supposed to be at least
: half.
This doesn't sound /quite/ right to my ears:
SAC says that if you flip a particular input bit, half the output bits
flip - *if you consider all possible input vectors*.
In other words, the /probability/ of each output bit flipping, on flipping
any input bit, is 1/2.
Whether - for a particular input - half, more than half, or less than half
the output bits flip (when a single input bit is toggled) has not got much
to do with it.
--
__________ Lotus Artificial Life http://alife.co.uk/ [EMAIL PROTECTED]
|im |yler The Mandala Centre http://mandala.co.uk/ Breast is best.
------------------------------
From: [EMAIL PROTECTED] (Paul Rubin)
Subject: Re: GPS encryption turned off
Date: 4 May 2000 00:05:46 GMT
In article <[EMAIL PROTECTED]>,
Trevor L. Jackson, III <[EMAIL PROTECTED]> wrote:
>> I wonder on which you base that "almost certainly". It was
>> trivial to turn off; it's equally trivial to turn back on.
>
>There's a couple of interesting side effects of the decision. One is that
>turning it back on becomes a sort of threat -- a gesture of sincerity like
>raising the alert status of military units.
I don't think SA will ever be turned back on.
1) It will cause huge civilian disruption if they turn SA back
on, once it has been off for a while.
2) The intention to turn SA off has been public for several years.
The US military now has means to selectively deny positioning to
adversaries which don't involve SA (i.e. they can locally jam the
GPS signal for others while being able to use it themselves).
This is quite a technical feat, and until it was accomplished,
SA had to stay on. But now SA is no longer needed.
The "threat" you're envisioning won't take the form of global SA
reactivation, but rather will take the form of GPS stopping working
altogether over a specific area.
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Crossposted-To: sci.math
Subject: Re: Silly way of generating random numbers?
Date: Thu, 04 May 2000 00:21:35 GMT
almis wrote:
> However; is it possible to generate a sequence of numbers (random
> not considered) which is impossible to reproduce even with the
> algorithm?
> Yes ! Certain classes of transcendentals have the property that the
> only way to
> reproduce the sequence is to try all (or guess) generating numbers.
Presumably, any actual implementation of this method would have to
pick some parameters, so the irreproducibility of the method would
be no better than the irreproducibility of the parameter selection.
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: OAP-L3: Semester 1 / Class #1 All are invited.
Date: Thu, 04 May 2000 00:27:08 GMT
Xcott Craver wrote:
> Secure doesn't just mean secure today.
Indeed, "OAP" is supposed to stand for "Original *Absolute* Privacy".
"Absolute" is a strong claim that requires equally strong
justification; an argument that "there are too many combinations"
has historically been shown to be inadequate justification for such
a claim.
------------------------------
From: [EMAIL PROTECTED] (Paul Rubin)
Subject: Re: GPS encryption turned off
Date: 4 May 2000 00:27:13 GMT
Doug Stell <[EMAIL PROTECTED]> wrote:
>Also, they are trying to phase out the current encryption scheme and
>go to a new one that is ultra-secure and ultra-secret. Not even the
>GPS manufacturer or trusted manufacturer of crypto equipment is
>allowed to know what it uses. It also supports Over The Air Rekey. The
>idea is that some GI could leave his GPS receiver in a bar somewhere
>and it will be useless in a very short time.
Interesting. Are you saying they're going to rekey all the receivers
*except* the one left in the bar? How?! Of course it's just a matter
of time before someone captures a unit and reverse engineers the
algorithm. Surely this has already been done (I mean by foreign
intelligence agencies, not sci.crypt nerds) for the existing algorithm.
------------------------------
From: [EMAIL PROTECTED] (Scott Contini)
Subject: Re: RC5 math
Date: 4 May 2000 02:03:03 GMT
In article <[EMAIL PROTECTED]>,
Richard Parker <[EMAIL PROTECTED]> wrote:
><[EMAIL PROTECTED]> wrote:
>> Is there a paper available that describes RC5 in mathematical terms
>> including analysis of its strength?
>
>The RC5 encryption algorithm was written by Ronald L. Rivest, who is one of
>the original founders of RSA <http://www.rsalabs.com/>. Information about
>his cipher designs can generally be found on the RSA website. The first
>published paper in which Rivest described RC5 is available from RSA:
>
> R.L. Rivest, "The RC5 encryption algorithm," Proceedings of the
> 2nd Workshop on Fast Software Encryption, Springer-Verlag, 1995,
> pp. 86-96.
> <ftp://ftp.rsasecurity.com/pub/rsalabs/rc5/rc5.ps>
>
>A good overview of the analysis that has been done on RC5 has also been
>prepared by RSA:
>
> B.S. Kaliski Jr. and Y.L. Yin, "On the Security of the RC5
> Encryption Algorithm," RSA Laboratories Technical Report TR-602,
> 1998.
> <ftp://ftp.rsasecurity.com/pub/rsalabs/rc5/rc5-report.pdf>
>
>The best known attack on RC5 is differential cryptanalysis, and the best
>published differential cryptanalysis of RC5 is by Knudsen and Meier:
>
> L.R. Knudsen and W. Meier, "Improved differential attack on RC5,"
> Advances in Cryptology, Proceedings of Crypto'96, LNCS 1109,
> Springer-Verlag, 1996, pp. 216-228.
> <ftp://ftp.esat.kuleuven.ac.be/%2Fpub/COSIC/knudsen/rc5.ps.Z>
>
>-Richard
>
The best attack I think is the result of Biryukov and Kushilevitz
presented in Eurocrypt '98. They used a better (more general) notion
of difference than Knudsen and Meier (and Kaliski and Yin). This is
all described in the technical report by Kaliski and Yin.
Scott
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Fixed: Sboxgen tool
Date: Thu, 04 May 2000 02:13:35 GMT
Tim Tyler wrote:
>
> Tom St Denis <[EMAIL PROTECTED]> wrote:
>
> : [...] The SAC test actually works now. I misunderstood that the changed bit
> : count must equal half the output size; it's supposed to be at least
> : half.
>
> This doesn't sound /quite/ right to my ears:
>
> SAC says that if you flip a particular input bit, half the output bits
> flip - *if you consider all possible input vectors*.
I do a double loop

for x = 0 to n-1                        ' every input vector
  for y = 0 to log2(n)-1                ' every input bit position
    if HT[f(x) xor f(x xor (1 << y))] < log2(n)/2   ' HT = Hamming weight
      return non_sac.
> In other words, the /probability/ of each output bit flipping, on flipping
> any input bit, is 1/2.
Well I think you can get by checking that at least half the bits change
when one input changes. Which bits change is up to the linearity of the
function. Obviously if it's non-linear it will be a random subset of
bits that change.
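An added example in Python, not code from either poster, contrasting the two criteria discussed above: the per-input "at least half the output bits change" loop from this post against the SAC as Tim states it, computed as a probability over all inputs. The two 4x4 S-boxes are constructed for the demonstration and show that each criterion can hold while the other fails.

```python
# Added example, not code from either poster: the Strict Avalanche
# Criterion computed over all inputs versus the per-input "at least half
# the output bits change" loop. Both S-boxes below are constructed here.

def sac_matrix(sbox, n_in, n_out):
    """m[i][j] = fraction of inputs x for which flipping input bit i
    flips output bit j of sbox[x]."""
    total = 1 << n_in
    m = [[0] * n_out for _ in range(n_in)]
    for x in range(total):
        for i in range(n_in):
            d = sbox[x] ^ sbox[x ^ (1 << i)]
            for j in range(n_out):
                m[i][j] += (d >> j) & 1
    return [[c / total for c in row] for row in m]

def satisfies_sac(sbox, n_in, n_out):
    """SAC: every (input bit, output bit) pair flips with probability 1/2."""
    return all(p == 0.5 for row in sac_matrix(sbox, n_in, n_out) for p in row)

def per_input_half_check(sbox, n_in, n_out):
    """The post's criterion: for every x and every input bit, at least
    n_out/2 output bits differ between sbox[x] and sbox[x ^ bit]."""
    for x in range(1 << n_in):
        for i in range(n_in):
            d = sbox[x] ^ sbox[x ^ (1 << i)]
            if bin(d).count("1") < n_out / 2:
                return False
    return True

def bit(x, k):
    return (x >> k) & 1

def rotl4(x, r):
    return ((x << r) | (x >> (4 - r))) & 0xF

# Constructed 4x4 S-box 1: the linear map x -> x ^ rotl(x,1) ^ rotl(x,2).
# Any single input-bit flip changes exactly three output bits, so the
# per-input check passes, but which bits flip is fixed: each output bit
# flips with probability 0 or 1, never 1/2, so SAC fails.
LINEAR_SBOX = [x ^ rotl4(x, 1) ^ rotl4(x, 2) for x in range(16)]

def bent_sbox_entry(x):
    # Constructed 4x4 S-box 2: each output bit is a quadratic (bent)
    # function whose derivative in any direction is an affine function of
    # one other input bit, so every output bit flips for exactly half of
    # all inputs (SAC holds), yet for x = 0 flipping bit 0 changes only
    # output bit 2, so the per-input check fails.
    x0, x1, x2, x3 = (bit(x, k) for k in range(4))
    b0 = (x0 & x1) ^ (x2 & x3)
    b1 = (x1 & x2) ^ (x3 & x0)
    b2 = b0 ^ x0
    b3 = b1 ^ x1
    return b0 | (b1 << 1) | (b2 << 2) | (b3 << 3)

BENT_SBOX = [bent_sbox_entry(x) for x in range(16)]

if __name__ == "__main__":
    for name, sb in (("linear", LINEAR_SBOX), ("bent", BENT_SBOX)):
        print(name, "SAC:", satisfies_sac(sb, 4, 4),
              "per-input half check:", per_input_half_check(sb, 4, 4))
```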
------------------------------
From: Nicol So <[EMAIL PROTECTED]>
Subject: Re: GPS encryption turned off
Date: Wed, 03 May 2000 23:00:37 -0400
Reply-To: see.signature
Paul Rubin wrote:
>
> Doug Stell <[EMAIL PROTECTED]> wrote:
> > ... It also supports Over The Air Rekey. The
> >idea is that some GI could leave his GPS receiver in a bar somewhere
> >and it will be useless in a very short time.
>
> Interesting. Are you saying they're going to rekey all the receivers
> *except* the one left in the bar? How?!
It's not that difficult. Periodic rekeying of all authorized receiver
units is routinely done in satellite TV.
--
Nicol So, CISSP // paranoid 'at' engineer 'dot' com
Disclaimer: Views expressed here are casual comments and should
not be relied upon as the basis for decisions of consequence.
------------------------------
From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: Cascading Crypto Attack
Date: Wed, 3 May 2000 19:53:49 -0700
That is often a problem, simply examining the most basic of
attacks, exhaustive key search. The likely number of
different potential plaintexts (for strong cryptography)
should be in excess of 2^(n-1); for large n the difference
is not very useful (I have no more ability to filter 2^127
than I have 2^128). The only advantage it would have is
against lopsided ciphers, those ciphers with larger keys
than blocks, where it could offer a faster version of brute
force. It is regardless simply another method of brute
force.
Joe
"Mok-Kong Shen" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> I think that the big problem is that there could be a large number of
> probable plaintexts. The real plaintext is one among these. But the
> analyst has difficulty to know which one is the right one.
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Cipher Contest Update
Date: Thu, 04 May 2000 02:58:09 GMT
Hi,
Is there any place where we can access and view the analysis and
comments on the ciphers? For example Matt Fisher's comments on LETSIEF?
Raphael
In article <[EMAIL PROTECTED]>,
"Patrik Järnefelt" <[EMAIL PROTECTED]> wrote:
> "Adam Durana" <[EMAIL PROTECTED]> writes:
>
> > Hello,
> >
> > The contest started about two weeks ago, and so far I have only received ONE
> > submission. Boris Kazak submitted a cipher named LETSIEF (Feistel
> > backwards). Matthew Fisher was able to perform differential analysis on it,
> > and Mr. Kazak resubmitted his cipher. LETSIEF2 is still in the running and
> > I have not heard of any attacks on it yet.
>
> [http://www.wizard.net/~echo/crypto-contest.html]
>
> Hmmm.. from the webpage: "Weaknesses found on variants of entries, such
> as reduced round variants, will be posted along with the cipher in the
> listing but will not get the cipher removed."
>
> "If a weakness is found in a cipher in either listing it will be
> removed, and the author has the option to resubmit it once she or he
> corrects the problem."
>
> Those seem to be mutually exclusive; is it removed or not? Since LETSIEF is not
> listed I assume you do remove 'broken' ciphers. I also assume the
> contest's purpose is not to push an AES alternative but rather 1) be
> fun, 2) educate & enlighten, 3) a place to gather the various design
> ideas which pop up here. So, imho, you should definitely make Fisher's
> comments (and any future relevant comments on any of the ciphers)
> available. We learn by mistakes. Preferably someone else's. ;)
>
> Also, online viewing of the paper of the cipher would be
> appreciated. Or at least a short description. Being forced to download
> a .zip file is not particularly nice at all. Just my 0.02 euros.
>
> --
>
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: Bryan Olson <[EMAIL PROTECTED]>
Subject: Re: Any good attorneys?
Date: Thu, 04 May 2000 03:08:59 GMT
I wrote:
> Tom St Denis wrote:
>
> > I still have some reading to do (I know basic EG right now) but I am
> > pretty sure you can get by with smaller ciphertext by using
> > sub-groups...
[...]
> Yes, you can work in a sub-group of large prime order, just
> as DSA does. [...]
Hmmm, on second thought, since you asked for smaller
ciphertext, that alone doesn't help.
--Bryan
--
email: bolson at certicom dot com
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Crossposted-To: sci.math
Subject: Re: Silly way of generating random numbers?
Date: Thu, 04 May 2000 03:22:02 GMT
Richard Heathfield wrote:
>
> Julio César wrote:
> >
> > I don't know if this could help, but pi is in no way random.
> >
>
> For a contrary viewpoint, see Knuth, TAOCP, Vol II, p41.
Actually he begins that chapter by noticing the patterns in pi.... not a
good counterexample.
Tom
--
Want your academic website listed on a free websearch engine? Then
please check out http://tomstdenis.n3.net/search.html, it's entirely
free
and there are no advertisements.
------------------------------
From: jungle <[EMAIL PROTECTED]>
Crossposted-To: alt.privacy.anon-server,alt.privacy
Subject: Re: about search and seizure of computers again
Date: Wed, 03 May 2000 23:22:41 -0400
as you did say, common sense ... but not hype ...
what proof ? simple, documented success of recovery ...
ANY DOCUMENTED RECOVERY ever made ...
JimD wrote:
>
> On Wed, 03 May 2000 00:20:10 -0400, jungle <[EMAIL PROTECTED]> wrote:
>
> >"by facts not by myths", please ...
> >
> >instead of quantifies such as :
> >possible ???
> >unlikely ???
> >enormously expensive ???
> >maybe ???
> >attempt ???
> >hope ???
> >
> >any real facts ?, please ...
>
> What proof (other than common sense) is required?
that is the way how myths are created ...
do you need more examples how to create myths ?
some of the hype / myth building methods ...
believe me, I'm expert ...
trust me, I have experience in this field ...
I worked in this field almost 10 years, I know what I'm talking about ...
there is no reason not to believe him ...
did you read his paper presented at symposium ...
that is same facts what other expert are saying, it can't be wrong ...
it's possible, but it is classified therefore I can not discuss it ...
they have the best experts in the field, definitely they must have made it ...
they will not discuss it, just to keep all at an uncertainty distance ...
... / you / me / anyone / can continue with above MYTH building methods,
therefore I will not continue more ...
> Find out the cost of the equipment, the level of technical
> expertise required and the time it would take to recover
> a reasonable amount of data.
>
> As you must know, there are much easier and very much cheaper
> ways of getting your data.
about to get my data ? NO
to get past wiped data ONLY, not my ...
> Have you read the Gutman paper?
did you ?
the paper is describing MAYBE POSSIBLE FANTASIES ...
they will be fantasies until a recovery is made; as of today no recovery,
not even ONE, has been made ...
> >JimD wrote:
> >>
> >> On Sun, 30 Apr 2000 19:26:51 -0400, jungle <[EMAIL PROTECTED]> wrote:
> >> >wipe by 3 passes under PGP ...
> >> >
> >> >NO ONE recovered data, NO ONE provided proof
> >> >that data wiped with above description has been recovered, except providing
> >> >over exaggerated statement that "it's maybe possible to recover" ...
> >> >
> >> >correct me when I'm wrong, by facts not by myths only ...
> >> >
> >> >I have f/d [ 1.44 mb ] wiped by pgp 3x information to recover, no one likes to
> >> >be famous for attempting recovery, but many "experts" are arguing that data
> >> >recovery is possible after wiping it 7x times by pgp, which is more than 2
> >> >times wiped than what I have ...
> >>
> >> Possible, but unlikely, and in any case enormously expensive
> >> just to make the attempt in the hope of recovering useful data.
> >
> >
>
> --
> Jim Dunnett.
>
> g4rga at thersgb.net
>
> Londoner? Vote for Ken!!
------------------------------
From: Danilo <[EMAIL PROTECTED]>
Subject: Re: quantum crypto breakthru?
Date: Thu, 04 May 2000 03:48:33 GMT
> The experiments show not only that entanglement does happen
> -- which has been known for some time -- but that it might be used to
> create unbreakable codes for the secure transmission of bank
> transactions and diplomatic communiqués.
>
Imagine this situation:
A diplomat from the USA is in Moscow and found the most important secret of
the Russians. He wants to inform the CIA about that, but of course doesn't want
the Russians to know that he discovered the secret. So, he will use quantum
cryptography, and send the information to his bosses. But, when he
sends the cipher ray of light, the Russians will catch it and read it. So,
the CIA (or the diplomat) will know that someone (probably the Russians) had
read the message, but that is not the point. The point is to send a
message which someone, even if they receive it, will be in no position to
understand.
So, what is the benefit of quantum cryptography in this context?
------------------------------
From: "Scott Fluhrer" <[EMAIL PROTECTED]>
Subject: Re: AEES Advanced
Date: Wed, 3 May 2000 20:48:54 -0700
<[EMAIL PROTECTED]> wrote in message news:8eon5g$9no$[EMAIL PROTECTED]...
> Hi Scott,
>
> IP, EP, XOR, Substitution, Permutation, inverse to IP.
>
> #How many differ if you change one bit? If much less (or much more)
> than
> #50% change, that probably can be used in an attack - note
> #exactly which change, and make guesses on the sub-keys based on that.
>
> It is not so simple as you imagine. All sub-keys are generated from
> inserted
> Key due to chain encryption. Each S-box is derived from correspondent
> sub-key. All permutations in a round are derived from a sub-key.
If a block cipher does not act like a random permutation, then the attacker
can deduce deep things about the internals by examining exactly how it
deviates. Examining the last round is only one example, and I suspect it
may have more advantage against your cipher than you expect.
If nothing else, it is a certificational weakness, as the attacker can tell
(with high probability) whether he's looking at an example of AEES or not...
>
> #You do realize that this is dog-slow compared to most modern Ciphers.
> For
> #example, Twofish should probably do about 15 MByte/sec on
> #that same platform (not, however, counting input/output operations)...
>
> Modern Cipher says nothing. We can compare only if Modern Cipher
> implements the same architecture. Who knows what performance would have
> Twofish, which implements the same architecture? For security one should
> pay with performance. I am sure that my price is not too expensive.
Are you seriously claiming that AEES has significantly better security than
Twofish (or Serpent or Rijndael)? And, you had to ask Tom what differential
and linear cryptanalysis was? The mind boggles.
In any case, the real reason I'm responding is you neglected to respond to
my request:
> Your description appears to be a Word document. Some of us (including me)
> refuse to load an untrusted Word document -- autoload macros can do funny
> things. Could you publish it in a straight text format?
And, the source you provided does me little good -- I don't have Delphi, and
don't feel like struggling to figure out the algorithm from a language I
know little about.
--
poncho
------------------------------
From: "almis" <[EMAIL PROTECTED]>
Crossposted-To: sci.math
Subject: Re: Silly way of generating random numbers?
Date: Wed, 3 May 2000 22:39:25 -0500
Douglas A. Gwyn wrote in message <[EMAIL PROTECTED]>...
|
|Presumably, any actual implementation of this method would have to
|pick some parameters, so the irreproducibility of the method would
|be no better than the irreproducibility of the parameter selection.
Yea ! That's right.
We choose two parameters, a and b.
We let it be known that a is a positive integer, not 0 or 1.
Furthermore, b is a real quadratic irrational.
We then generate a transcendental number a^b.
We then let it be known that 30 consecutive digits of the decimal
representation of this number is:
(not necessarily starting at the first digit)
490865264772800672174440523158
We then ask: Besides trying all combinations, is there an easier
way to determine a and b, and, consequently, any number of subsequent
digits?
There are caveats on these class 1 transcendentals.
Such as b should not be equal to the square root of an even positive
integer.
Else a^b will be multiplicative and susceptible to the KLL algorithm.
The actual attack on this class of numbers is detailed in Mr. Pieprzyk
et al.'s paper, section 4.1.
Finally, to be useful, this sequence of digits should be converted to a
bit string. Here one can perform a truly one-way transformation from
decimal digits to bits whereby the original sequence of decimal digits
cannot be recovered accurately from the resulting bit string.
More if you're interested.
...al
P.S. Just for fun... Can you guess what numbers I used for a and b to get
the sequence above? (yea, I know it's way too short)
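An added Python example, not code from the thread and not an attempt at the puzzle above, illustrating Gwyn's point as it applies to this generator: when b = sqrt(k), a window of the decimal digits of a^b pins down (a, k) with a search no larger than the parameter space itself, so the secrecy is exactly that of the parameter choice. The parameter ranges, the window offset and the sample parameters (7, 3) are assumptions made for the demonstration.

```python
# Added example, not from the thread: the work to recover (a, k) from a
# digit window of a ** sqrt(k) is bounded by the parameter space, which is
# Gwyn's point. Ranges, offset and sample parameters are assumptions.
from decimal import Decimal, localcontext
from math import isqrt

PRECISION = 80  # working digits; comfortably more than the window used

def expansion_digits(a, k, ndigits=PRECISION):
    """Decimal digits of a ** sqrt(k) as a string, decimal point removed."""
    with localcontext() as ctx:
        ctx.prec = ndigits
        value = Decimal(a) ** Decimal(k).sqrt()
        return format(value, "f").replace(".", "")

def candidate_params(max_a=40, max_k=40):
    """Constructed parameter space: integer a >= 2 and b = sqrt(k) with k an
    odd non-square (the post's caveat excludes roots of even integers)."""
    for a in range(2, max_a + 1):
        for k in range(3, max_k + 1, 2):
            if isqrt(k) ** 2 != k:
                yield a, k

def recover_params(window, max_a=40, max_k=40):
    """Return the (a, k) whose expansion contains the digit window, or None.
    The loop visits each candidate once: the cost is the parameter count,
    not anything about the digits themselves."""
    for a, k in candidate_params(max_a, max_k):
        if window in expansion_digits(a, k):
            return a, k
    return None

def sample_window(a, k, offset=5, length=30):
    """Constructed input: 30 consecutive digits of a ** sqrt(k), not
    starting at the first digit, as in the post."""
    return expansion_digits(a, k)[offset:offset + length]

if __name__ == "__main__":
    win = sample_window(7, 3)
    print(win, "->", recover_params(win))
```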
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************